You may or may not know that by default, any authenticated user has the ability to join 10 computers to your domain which is going to increase your attack surface, but all is not lost, you can remove this ability pretty easily. Just follow these simple steps (as a Domain Admin):

Run Adsiedit.msc

Expand the ‘Domain NC‘ node.

This node contains an object that begins with “DC=” and reflects the correct domain name.

Right-click this object, and then click Properties.

In the Select which properties to view box, click Both.

In the Select a property to view box, click ms-DS-MachineAccountQuota.

In the Edit Attribute box, type the number of workstations that you want users to be able to maintain concurrently.

Click Set, and then click OK.

Once you’re done, authenticated users will only be allowed to add the number of machines you sepcify (I’d suggest none!). This is all detailed in the Microsoft KB article HERE